No, if the certificate itself is in the truststore then it is deemed to be
trusted - the CA certificate does not need to be in there as well.

Colm.

On Fri, Feb 27, 2015 at 7:37 AM, Jose María Zaragoza <[email protected]>
wrote:

> 2015-02-26 23:38 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> > I did a quick test using CXF's WebClient doing a "GET" on
> > https://www.google.com. It works fine when you don't specify any
> > TLSClientParameters as expected, as it picks up the default cacerts.
> > However, when I added the following it fails (also as expected):
> >
> >   <http:conduit name="https://.*">
> >     <http:tlsClientParameters disableCNCheck="true">
> >       <sec:trustManagers>
> >         <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
> >       </sec:trustManagers>
> >     </http:tlsClientParameters>
> >   </http:conduit>
> >
> > Colm.
>
> OK. That's right.
> But, if you import the Google certificate into clientstore.jks but you
> don't import its CA certificate (GeoTrust CA, in this case), should
> it fail? This is my question.
> I don't know what validation path JSSE follows.
>
> Regards
>
>
>
> >
> > On Thu, Feb 26, 2015 at 10:07 PM, Jose María Zaragoza <[email protected]>
> > wrote:
> >
> >> 2015-02-26 22:23 GMT+01:00 Sergey Beryozkin <[email protected]>:
> >> > What I meant is that you do use a self-signed cert to sign a previously
> >> > generated certificate but do not import this self-signed cert into the
> >> > truststore, which would emulate the same situation you have now without
> >> > having to provide a test where well-known providers sign a given server
> >> > certificate.
> >>
> >> OK
> >> I'll try it
> >>
> >> Thanks
> >>
> >> >
> >> > Sergey
> >> >
> >> >
> >> >
> >> > On 26/02/15 18:51, Jose María Zaragoza wrote:
> >> >>
> >> >> 2015-02-26 18:09 GMT+01:00 Sergey Beryozkin <[email protected]>:
> >> >>>
> >> >>> Hi
> >> >>>
> >> >>> I guess this is what Colm is implying, that the actual problem is that
> >> >>> it does work.
> >> >>> Can it be reproduced by a given server certificate with a self-signed
> >> >>> certificate validating it?
> >> >>
> >> >>
> >> >>
> >> >> Well, I don't have a test case right now. I'll try to reproduce it.
> >> >>
> >> >> With a self-signed certificate, the behaviour is also the same.
> >> >> But that makes sense (for me), because your CA is yourself, so you
> >> >> could trust it (if the certificate is imported into your keystore).
> >> >>
> >> >> Regards
> >> >>
> >> >>
> >> >>>
> >> >>> Cheers, Sergey
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> On 26/02/15 16:55, Jose María Zaragoza wrote:
> >> >>>>
> >> >>>>
> >> >>>> 2015-02-26 17:47 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> It does, but only if no truststore has been configured in CXF. Do you
> >> >>>>> have a test-case that reproduces this problem?
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> Thanks, not really.
> >> >>>> Indeed, it's not a problem because my client works fine, but I cannot
> >> >>>> understand why. I only imported the server certificate, not the others
> >> >>>> in the chain.
> >> >>>>
> >> >>>> As I don't know how the underlying certificate validation is performed,
> >> >>>> I don't know if this behaviour is caused by default settings in CXF
> >> >>>> or another reason.
> >> >>>>
> >> >>>> Regards
> >> >>>>
> >> >>>>
> >> >>>>>
> >> >>>>> Colm.
> >> >>>>>
> >> >>>>> On Thu, Feb 26, 2015 at 4:39 PM, Jose María Zaragoza
> >> >>>>> <[email protected]>
> >> >>>>> wrote:
> >> >>>>>>
> >> >>>>>>
> >> >>>>>>
> >> >>>>>> 2015-02-26 17:14 GMT+01:00 Colm O hEigeartaigh <[email protected]>:
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>>> You are using "keyManagers" instead of "trustManagers" in the
> >> >>>>>>> configuration. "keyManagers" is used when you need to specify a key
> >> >>>>>>> for client authentication. "trustManagers" is used to verify trust in
> >> >>>>>>> the server's cert. As you have no "trustManagers" configuration here,
> >> >>>>>>> I guess it is falling back on the default JVM settings
> >> >>>>>>> (javax.net.ssl.trustStore).
> >> >>>>>>
> >> >>>>>>
> >> >>>>>>
> >> >>>>>> Sorry, it was a typo. I'm using trustManagers:
> >> >>>>>>
> >> >>>>>> <sec:trustManagers>
> >> >>>>>>   <sec:keyStore type="JKS" password="*******" resource="truststore.jks"/>
> >> >>>>>> </sec:trustManagers>
> >> >>>>>> <sec:cipherSuitesFilter>
> >> >>>>>>
> >> >>>>>> Do you know if JSSE (I guess it's the underlying TLS implementation)
> >> >>>>>> uses the default JVM truststore for checking certificates?
> >> >>>>>>
> >> >>>>>> Thanks
> >> >>>>>>
> >> >>>>>>>
> >> >>>>>>> Colm.
> >> >>>>>>>
> >> >>>>>>> On Thu, Feb 26, 2015 at 11:32 AM, Jose María Zaragoza
> >> >>>>>>> <[email protected]>
> >> >>>>>>> wrote:
> >> >>>>>>>
> >> >>>>>>>> Hello:
> >> >>>>>>>>
> >> >>>>>>>> Maybe this question is a bit off topic, but I am trying to understand
> >> >>>>>>>> why my client works.
> >> >>>>>>>>
> >> >>>>>>>> I use CXF 2.7.8 to call a remote web service over HTTPS (SSL/TLS).
> >> >>>>>>>> These are my settings:
> >> >>>>>>>>
> >> >>>>>>>> <http-conf:conduit name="https://.*">
> >> >>>>>>>>   <http-conf:tlsClientParameters>
> >> >>>>>>>>     <sec:keyManagers keyPassword="xxxxxxxx">
> >> >>>>>>>>       <sec:keyStore type="JKS" password="xxxxxxxx" resource="truststore.jks"/>
> >> >>>>>>>>     </sec:keyManagers>
> >> >>>>>>>>
> >> >>>>>>>> I've imported the SSL server certificate into truststore.jks
> >> >>>>>>>> and it works fine.
> >> >>>>>>>>
> >> >>>>>>>> But this certificate is signed by a CA chain (from godaddy.com),
> >> >>>>>>>> and (I think) I haven't imported any certificate from GoDaddy.
> >> >>>>>>>> Why does my client trust the server certificate?
> >> >>>>>>>> Isn't some Certification Path Validation process performed?
> >> >>>>>>>>
> >> >>>>>>>> Thanks and regards
> >> >>>>>>>>
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>> Sergey Beryozkin
> >> >>>
> >> >>> Talend Community Coders
> >> >>> http://coders.talend.com/
> >> >>>
> >> >>> Blog: http://sberyozkin.blogspot.com
> >> >
> >> >
> >>
> >
> >
> >
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
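The thread's open question is what JSSE actually does with a truststore that holds only the server's end-entity certificate. The check below is an added example, not code from the thread, from CXF or from the JDK: it runs the same PKIX `X509TrustManager` that JSSE uses during the handshake, once against an explicit JKS truststore (what `<sec:trustManagers>`/`<sec:keyStore>` configures on the conduit) and once against the JVM default (what JSSE falls back to when no trust managers are configured). The file name `server-chain.pem` is an assumption; it is expected to hold the server's certificate chain in PEM form, leaf first, for instance as captured with `openssl s_client -showcerts`. `clientstore.jks` and `cspass` are the names from Colm's test configuration above, so substitute your own truststore and password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Runs JSSE's PKIX trust check against a server chain without opening a
 * connection, so the effect of a given truststore can be inspected in isolation.
 *
 * Usage (all three arguments are assumed/user-supplied, not from the thread):
 *   java TrustCheck server-chain.pem clientstore.jks cspass
 */
public class TrustCheck {

    /** Parse one or more PEM certificates, server leaf first, as sent in a TLS handshake. */
    static X509Certificate[] loadChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /**
     * Build the X509TrustManager JSSE would use for this truststore.
     * A null KeyStore selects the JVM default, i.e. javax.net.ssl.trustStore
     * if set, otherwise the JRE's cacerts file.
     */
    static X509TrustManager trustManagerFor(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(truststore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * Returns true if the trust manager accepts the chain. The authType names the
     * key exchange the server would use; an ECDHE_* value matches the digitalSignature
     * key usage that both RSA and EC server certificates carry, so it is the safe choice
     * for an offline check.
     */
    static boolean isTrusted(X509TrustManager tm, X509Certificate[] chain) {
        String keyAlg = chain[0].getPublicKey().getAlgorithm();
        String authType = "EC".equals(keyAlg) ? "ECDHE_ECDSA" : "ECDHE_RSA";
        try {
            tm.checkServerTrusted(chain, authType);
            return true;
        } catch (CertificateException e) {
            // The message from the PKIX validator states why the path could not be built.
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] chain = loadChain(args[0]);
        System.out.println("Leaf: " + chain[0].getSubjectX500Principal());
        System.out.println("Issuer: " + chain[0].getIssuerX500Principal());

        // 1. Explicit truststore, as <sec:trustManagers>/<sec:keyStore> configures in CXF.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[1])) {
            ts.load(in, args[2].toCharArray());
        }
        System.out.println("Trusted via " + args[1] + ": " + isTrusted(trustManagerFor(ts), chain));

        // 2. No truststore configured: JSSE falls back to the JVM default, which is
        //    what happens on the conduit when no trustManagers element is present.
        System.out.println("Trusted via JVM default truststore: " + isTrusted(trustManagerFor(null), chain));
    }
}
```

Running it with a truststore that contains only the leaf, then only the issuing CA, then only an unrelated certificate, shows which entries JSSE treats as trust anchors; the rejection message printed for the last case is the same text you would otherwise see buried in a CXF handshake failure. Note that the check is purely about the certificate path: hostname verification (what `disableCNCheck` controls in CXF) happens separately, so a chain accepted here can still be rejected at connect time if the name does not match.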
